Following is a step-by-step guide to creating your own CA (Certificate Authority) — and also self-signed SSL server certificates — with openssl on Linux. Self-signing is the simpler route to take, but making one’s own CA allows the signing of multiple server certificates using the same CA and involves only a few extra steps.

After using openssl to generate the necessary files, you’ll need to integrate them into Apache. This process differs between Linux distros and versions of Apache.

Making a homemade CA or self-signed certificate will cause the client web browser to warn that the site is certified by an unknown authority (yourself) and ask whether to trust it permanently (store it in the browser), temporarily for that session, or to reject it. That prompt may be a business liability for general public usage, although it is simple enough for a client to accept the certificate permanently; it also teaches your users to click through certificate warnings, which is exactly the habit an attacker presenting a forged certificate relies on. Whichever route you take, you will save the periodic expense of paying a recognized signing authority. What you pay a commercial CA for is that its root certificate already sits in the browsers' and operating systems' trust stores (the vendors admit roots through their root programs); a private CA is no weaker cryptographically, but its root certificate has to be installed on every client that should trust it. So if you are on a budget, have a special need, or serve a small audience whose clients you can configure, this may be useful.

Before you start
You need Apache and openssl. Compiling them from source, handling dependencies, etc. is beyond the scope of this document. You can consult their documentation, or go with a mainstream Linux distro that will do the preliminary work for you.

Now you need to decide whether you'll make a CA (Certificate Authority) and sign a server certificate with it, or just self-sign a server certificate. Both procedures are detailed below.

(1A) Create a self-signed certificate.

Complete this section if you do NOT want to make a CA (Certificate Authority). If you want to make a CA, skip 1A entirely and go to 1B instead.

Some steps in this document require privileged access, and you'll want to limit access to the cert files to the root user only. So you should su to root and create a working directory that only root can enter and read (for example: mkdir certwork, chmod 700 certwork; a directory needs the execute bit, so 600 would lock you out of it as well). Go to that directory.

Generate a server key:

openssl genrsa -des3 -out server.key 4096

(-des3 is the legacy choice; current openssl accepts -aes256 for the same purpose, and that is the better option.) Then create a certificate signing request with it. This command will prompt for a series of things (country, state or province, etc.). Make sure that “Common Name (eg, YOUR name)” matches the registered fully qualified domain name of your box (or your IP address if you don't have one). Note that current browsers no longer match the host name against the Common Name at all; they require it in a subjectAltName extension, so a certificate carrying only a CN is reported as a name mismatch even when the CN is right. I also suggest not making a challenge password at this point, since it'll just mean more typing for you.

The default values for the questions ([AU], Internet Widgits Pty Ltd, etc.) are stored in /etc/ssl/openssl.cnf. So if you've got a large number of certificate signing requests to process you probably want to carefully edit that file where appropriate. Otherwise, just execute the command below and type what needs to be typed:

These files are quite sensitive and their permissions should be guarded very carefully. Chown them to root, if you're not already root. You can even chmod 000 them: root bypasses the file-mode checks (it holds CAP_DAC_OVERRIDE), so root keeps read and write access whatever the mode says, while every other user is locked out. Mode 600 owned by root is the conventional setting and is equally safe. Now that you've just completed Step 1A, skip ahead to Step 2.

(1B) Generate your own CA (Certificate Authority).

Complete this section if you want to make a CA (Certificate Authority) and sign a server certificate with it. The steps for making a server certificate are also included here. If you'd rather one-time self-sign a server certificate, skip this step entirely and go to 1A instead.

Some steps in this document require privileged access, and you'll want to limit access to the cert files to the root user only. So you should su to root and create a working directory that only root can enter and read (for example: mkdir certwork, chmod 700 certwork; a directory needs the execute bit, so 600 would lock you out of it as well). Go to that directory.

In this step you’ll take the place of VeriSign, Thawte, etc. You’ll first build the CA key, then build the certificate itself.

The Common Name (CN) of the CA and the Server certificates must NOT match, and more generally the two subjects must differ. A certificate whose issuer name equals its own subject name is treated as self-signed, so a server certificate carrying the CA's name as its subject would not chain to the CA and you'll get errors later on. In this step, you'll provide the CA entries. In a step below, you'll provide the Server entries. In this example, I just added “CA” to the CA's CN field, to distinguish it from the Server's CN field. Use whatever schema you want, just make sure the CA and Server entries are not identical.

If you don’t have a fully qualified domain name, you should use the IP that you’ll be using to access your SSL site for Common Name (CN). But, again, make sure that something differentiates the entry of the CA’s CN from the Server’s CN.

This step creates a server key, and a request that you want it signed (the .csr file) by a Certificate Authority (the one you just created above in Step 1B).

Think carefully when inputting a Common Name (CN) as you generate the .csr file below. This should match the DNS name, or the IP address you specify in your Apache configuration. If they don't match, client browsers will get a “domain mismatch” message when going to your https web server. Current browsers check the host name against the subjectAltName extension rather than the CN, so the name has to go there as well. If you're doing this for home use, and you don't have a static IP or DNS name, you might not even want to worry about the message (but you sure will need to worry if this is a production/public server). For example, you could match it to an internal and static IP you use behind your router, so that you'll never get the “domain mismatch” message if you're accessing the computer on your home LAN, but will always get that message when accessing it elsewhere. Your call: is your IP stable, do you want to repeat these steps every time your IP changes, do you have a DNS name, do you mainly use it inside your home or LAN, or outside?

Sign the certificate signing request (csr) with the self-created Certificate Authority (CA) that you made earlier.

Note that 365 days is used here. After a year you'll need to do this again.

Note also that I set the serial number of the signed server certificate to “01”. Each time you do this, especially if you do this before a previously-signed certificate expires, you'll need to change the serial number to something else. Otherwise everyone who's visited your site and cached your old certificate will get a browser error to the effect that your certificate signing authority has screwed up: it has signed a new key/request but reused the old serial number (Firefox reports this as sec_error_reused_issuer_and_serial). There are a couple of ways to rectify that. A CRL (certificate revocation list) is one method, but beyond the scope of the document. Another method is for all clients which have stored the CA certificate to go into their settings and delete the old one manually. But for the purposes of this document, we'll just avoid the problem. (If you're a sysadmin of a production system and your server.key is compromised, you'll certainly need to worry.)

The command below does a number of things. It takes your signing request (csr) and makes a one-year valid signed server certificate (crt) out of it. In doing so, we need to tell it which Certificate Authority (CA) certificate to use, which CA key to sign with, and which signing request to sign (the server key itself is never handed to the CA; only the request is). We set the serial number to 01, and output the signed certificate in the file named server.crt. If you do this again after people have visited your site and trusted your CA (storing it in their browser), you must use 02 for the next serial number, and so on; openssl can keep that counter for you in a serial file (the -CAserial and -CAcreateserial options of openssl x509) so you don't have to remember it. You might create some scheme to make the serial number more “official” in appearance or makeup, but keep in mind that it is fully exposed to the public in their web browsers, so it offers no additional security in itself.

Make a server.key which doesn’t cause Apache to prompt for a password.

Here we create an insecure version of the server.key. The insecure one will be used when Apache starts, and will not require a password with every restart of the web server. But keep in mind that while this means you don't have to type in a password when restarting Apache (or worse, coding it somewhere in plaintext), it does mean that anyone obtaining this insecure key can impersonate your server and, for sessions negotiated with plain RSA key exchange rather than an ephemeral Diffie-Hellman cipher suite, decrypt recorded transmissions. Guard it for permissions VERY carefully.

These files are quite sensitive and their permissions should be guarded very carefully. Chown them to root, if you're not already root. You can even chmod 000 them: root bypasses the file-mode checks (it holds CAP_DAC_OVERRIDE), so root keeps read and write access whatever the mode says, while every other user is locked out. Mode 600 owned by root is the conventional setting and is equally safe.
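Because the openssl commands for both routes above are easy to get subtly wrong (a CA certificate without basicConstraints, a server certificate without subjectAltName, a reused serial number), here is the whole of 1A and 1B as a script. This is an added example and not part of the original tutorial. It assumes openssl 1.0.2 or newer on PATH, keeps the file names used in the text (ca.key, ca.crt, server.key.secure, server.csr, server.crt, server.key), and reads the passphrases from the CA_PASS and SERVER_PASS environment variables instead of prompting, so the config written by ca_cnf and server_cnf replaces the /etc/ssl/openssl.cnf prompts entirely:

```shell
# Added example, not from the original tutorial: routes 1A and 1B as functions.
# Assumed: openssl >= 1.0.2, CA_PASS and SERVER_PASS set in the environment,
# the file names used in the text. Run as: sh make-certs.sh WORKDIR HOST
set -eu
umask 077                 # everything created here is owner-only (0600 / 0700)
BITS=${BITS:-4096}        # key size; the text uses 4096

# subjectAltName entry for a host: IP literals need IP:, names need DNS:.
san_for() {
    case $1 in
        *[!0-9.]*) echo "DNS:$1" ;;
        *)         echo "IP:$1" ;;
    esac
}

# Self-contained config for the CA certificate (no prompts, no openssl.cnf
# defaults). basicConstraints CA:TRUE is what lets clients accept it as an issuer.
ca_cnf() {                # $1 = CA common name
cat <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ext
[ dn ]
CN = $1
[ ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Config for the server request and certificate: the host goes in CN and SAN.
server_cnf() {            # $1 = host name or IP
cat <<EOF
[ req ]
distinguished_name = dn
prompt = no
req_extensions = ext
x509_extensions = ext
[ dn ]
CN = $1
[ ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $(san_for "$1")
EOF
}

# Route 1B, CA part: AES-256 encrypted CA key and a ten-year self-signed CA cert.
make_ca() {               # $1 = work dir  $2 = CA common name (must differ from server CN)
    mkdir -p "$1"; ca_cnf "$2" > "$1/ca.cnf"
    openssl genrsa -aes256 -passout env:CA_PASS -out "$1/ca.key" "$BITS" 2>/dev/null
    openssl req -new -x509 -config "$1/ca.cnf" -key "$1/ca.key" -passin env:CA_PASS \
        -sha256 -days 3650 -out "$1/ca.crt"
}

# Both routes: encrypted server key plus a signing request for it.
make_server_csr() {       # $1 = work dir  $2 = host name or IP
    mkdir -p "$1"; server_cnf "$2" > "$1/server.cnf"
    openssl genrsa -aes256 -passout env:SERVER_PASS -out "$1/server.key.secure" "$BITS" 2>/dev/null
    openssl req -new -config "$1/server.cnf" -key "$1/server.key.secure" \
        -passin env:SERVER_PASS -out "$1/server.csr"
}

# Route 1A: sign the request with its own key, valid one year.
self_sign() {             # $1 = work dir
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key.secure" -passin env:SERVER_PASS \
        -days 365 -sha256 -extfile "$1/server.cnf" -extensions ext -out "$1/server.crt"
}

# Route 1B, signing part. -CAserial/-CAcreateserial keep a counter in ca.srl, so
# every certificate gets a fresh serial number instead of a hand-edited 01, 02, ...
ca_sign() {               # $1 = work dir
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -passin env:CA_PASS \
        -CAserial "$1/ca.srl" -CAcreateserial -days 365 -sha256 \
        -extfile "$1/server.cnf" -extensions ext -out "$1/server.crt"
}

# Passphrase-less copy of the server key for Apache: same secret, same need for protection.
strip_passphrase() {      # $1 = work dir
    openssl rsa -in "$1/server.key.secure" -passin env:SERVER_PASS -out "$1/server.key" 2>/dev/null
}

# The checks a client performs, each returning 0 on success.
chain_ok()    { openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null; }
key_matches() { [ "$(openssl x509 -in "$1/server.crt" -noout -pubkey)" = \
                  "$(openssl pkey -in "$1/server.key" -pubout)" ]; }
san_ok() {                # $1 = work dir  $2 = host name or IP
    case $2 in *[!0-9.]*) want="DNS:$2" ;; *) want="IP Address:$2" ;; esac
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "$want"
}

if [ $# -eq 2 ]; then     # route 1B end to end, then verify the result
    make_ca "$1" "$2 CA"; make_server_csr "$1" "$2"; ca_sign "$1"; strip_passphrase "$1"
    chain_ok "$1" && key_matches "$1" && san_ok "$1" "$2" && echo "$1/server.crt: OK"
fi
```

For route 1A call make_server_csr, self_sign and strip_passphrase instead; the CA functions are simply not used. The CA common name is derived by appending “CA” to the host, following the text's convention that the two subjects must differ.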

(2) Copy files into position and tweak Apache.

Some professors like to pause for a moment after a long lecture, and do a little recap. It's a good pedagogical tool, so let's do so here. If you took route 1A above, you should have four files in a working directory:

server.crt: The self-signed server certificate.
server.csr: Server certificate signing request.
server.key: The private server key, does not require a password when starting Apache.
server.key.secure: The private server key, it does require a password when starting Apache.

If you took route 1B and created a CA, you’ll have two additional files:

ca.crt: The Certificate Authority’s own certificate.
ca.key: The key which the CA uses to sign server signing requests.

The CA files are important to keep if you want to sign additional server certificates and preserve the same CA. You can reuse these so long as they remain secure, and haven’t expired.

Setting up SSL: openSuSE:

(1) Make your keys and copy them into position.

Copy the resulting files into these locations. It’s possible to put them somewhere else and change the reference in the appropriate conf file in a later step, but these are the default locations:

Since /srv/www/htdocs is the location for HTTP, I suggest /srv/www-ssl/htdocs for SSL delivered pages. That way you might later consider a /srv/www-ssl/cgi-bin to complement the /srv/www/cgi-bin (to mirror the architecture and make certain relative pathing easier to deal with depending on how you write applications). But that's your call. Create some directory to serve SSL pages. The last command creates a little dummy index.html file for testing purposes.
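Putting the files in place is where permissions most often go wrong (a world-readable server.key, or a cert directory only root can traverse), so here is the copy step as a function. This is an added example, not code from the original page. It assumes the openSuSE Apache layout of /etc/apache2/ssl.crt and /etc/apache2/ssl.key and the /srv/www-ssl/htdocs document root suggested above; both roots are arguments so the function can be tried in a scratch directory before running it as root against the real paths.

```shell
# Added example, not from the original page. Assumed: openSuSE's /etc/apache2/ssl.crt
# and /etc/apache2/ssl.key directories, /srv/www-ssl/htdocs as the SSL DocumentRoot.
set -eu

# install_ssl_files WORKDIR APACHE_ETC DOCROOT
install_ssl_files() {
    work=$1 etc=$2 docroot=$3
    mkdir -p "$etc/ssl.crt" "$etc/ssl.key" "$docroot"
    # the certificate is public, the key is not: 644 versus 600
    cp "$work/server.crt" "$etc/ssl.crt/server.crt"
    chmod 644 "$etc/ssl.crt/server.crt"
    cp "$work/server.key" "$etc/ssl.key/server.key"
    chmod 600 "$etc/ssl.key/server.key"
    if [ -f "$work/ca.crt" ]; then        # route 1B: keep the CA cert beside the server cert
        cp "$work/ca.crt" "$etc/ssl.crt/ca.crt"
        chmod 644 "$etc/ssl.crt/ca.crt"
    fi
    if [ "$(id -u)" -eq 0 ]; then         # when run as root, root owns the installed files
        chown root:root "$etc/ssl.key/server.key" "$etc/ssl.crt/server.crt"
    fi
    if [ ! -e "$docroot/index.html" ]; then   # dummy page for the first https test
        printf '<html><body>SSL test page</body></html>\n' > "$docroot/index.html"
    fi
    chmod 644 "$docroot/index.html"
}

# key_private FILE : succeeds only if no group or other permission bits are set
key_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

if [ $# -eq 3 ]; then   # sh install-ssl.sh WORKDIR /etc/apache2 /srv/www-ssl/htdocs
    install_ssl_files "$1" "$2" "$3"
    key_private "$2/ssl.key/server.key" && echo "installed; server.key is owner-only"
fi
```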

Make sure that SSLEngine is on, and that SSLCertificateFile and SSLCertificateKeyFile point to the server.crt and server.key you created with the openssl commands (on openSuSE these go in the ssl.crt and ssl.key directories under /etc/apache2, so /etc/apache2/ssl.crt/server.crt and /etc/apache2/ssl.key/server.key). If you went with default locations in an earlier step, you shouldn't have to make any special changes in this regard.

Just before the </VirtualHost> directive is closed, add the following, making tweaks as necessary for your environment. DocumentRoot is what tells the SSL instance where to look for the doc root; the Directory block is what grants clients access to it, and without it the default configuration, which denies access outside explicitly allowed directories, applies.

<Directory "/srv/www-ssl/htdocs">
AllowOverride None
# Apache 2.2 access control; on Apache 2.4 replace the next two lines with: Require all granted
Order allow,deny
Allow from all
</Directory>

(6) Open up the ports on your firewall.

Go to YaST -> Security & Users -> Firewall -> Allowed Services

Make sure that HTTP and HTTPS are enabled for the External Zone. Note that this mechanism assumes port 80 and port 443 respectively. If you want to set up HTTP or HTTPS on a different port (for instance, 8080 or 444) you need to go to the Advanced screen and manually type in the port number under “TCP Ports” and describe the protocol you’re adding (for example, HTTP or HTTPS) in the last line under “IP Protocols.” If you have a router, it probably carries additional firewall rules. You’ll need to open up the appropriate port(s) there as well. That’s beyond the scope of this document, but should be in the docs that pertain to your hardware.

The developer.nokia.com/community discussion forum was offline and under maintenance for some time, only for Nokia to officially announce that the forum had had a security breach. I quote:

During our ongoing investigation of the incident we have discovered that
a database table containing developer forum members' email addresses
has been accessed, by exploiting a vulnerability in the bulletin board
software that allowed an SQL Injection attack. Initially we believed
that only a small number of these forum member records had been
accessed, but further investigation has identified that the number is
significantly larger.
The database table records include members’ email addresses and, for
fewer than 7% who chose to include them in their public profile, either
birth dates, homepage URL or usernames for AIM, ICQ, MSN, Skype or
Yahoo. However, they do not contain sensitive information such as
passwords or credit card details and so we do not believe the security
of forum members’ accounts is at risk. Other Nokia accounts are not
affected.

As of March 1st, 2010, Google has dropped support for Microsoft's longest-standing web browser, IE6, meaning that Google Docs, Google Apps, Gmail and all other Google services will no longer support the ageing browser, in an effort to introduce new features to these services.

According to market research firm Net Applications, as of August 2009 Internet Explorer had roughly 67 percent of the worldwide browser market, the Mozilla Foundation's Firefox had 23 percent and Apple Inc.'s Safari browser had 4 percent.

“Because iFolder is a cross-platform distributed solution, there is a possibility of a virus infection on a platform migrating across the iFolder server to other platforms, and vice versa. You should enforce server-based virus scanning to prevent viruses from entering the corporate network.”

This solution applies to openSuSE 11.1:

The following packages need to be installed:

clamav
dazuko
postfix

Execute modprobe dazuko (as root). Dazuko is the on-access hook that lets clamd scan files as they are opened, which is what the iFolder advice above calls for.

Run lsmod and check that dazuko is loaded:

Edit /etc/init.d/boot.local

Add:
modprobe dazuko

Edit /etc/clamd.conf

Enable logging by activating:
LogFile /var/log/clamd

Activate:
# Path to a local socket file the daemon will listen on.
LocalSocket /var/lib/clamav/clamd-socket
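The clamd.conf edits above amount to uncommenting two directives, and there is one more gotcha the text does not mention: the file ships with a bare “Example” line that makes clamd refuse to start until it is removed or commented out. The script below applies the three changes and checks that the dazuko module is loaded. It is an added example, not code from the original page; it assumes the directives are either commented out with a leading # as shipped or absent, and both the config path and the module list are arguments so it can be tried on a copy first.

```shell
# Added example, not from the original page: apply the clamd.conf changes and check
# that dazuko is loaded. Run as: sh clamd-setup.sh /etc/clamd.conf
set -eu

# set_directive CONF NAME VALUE : activate NAME with VALUE whether it is commented
# out, already present with another value, or missing. Running it twice is harmless.
# (VALUE must not contain '|' or '&', which are special to the sed replacement.)
set_directive() {
    conf=$1 name=$2 value=$3
    if grep -q "^#*[[:space:]]*$name[[:space:]]" "$conf"; then
        sed "s|^#*[[:space:]]*$name[[:space:]].*|$name $value|" "$conf" > "$conf.tmp"
        mv "$conf.tmp" "$conf"
    else
        printf '%s %s\n' "$name" "$value" >> "$conf"
    fi
}

# get_directive CONF NAME : print the active value of NAME (nothing if commented out or absent)
get_directive() { sed -n "s|^$2[[:space:]][[:space:]]*||p" "$1"; }

# disable_example CONF : clamd exits with an error while the shipped "Example" line is active
disable_example() {
    sed 's|^Example[[:space:]]*$|#Example|' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# module_loaded NAME [MODULES] : look NAME up in /proc/modules (or the given file)
module_loaded() { grep -q "^$1 " "${2:-/proc/modules}"; }

if [ $# -ge 1 ]; then
    set_directive "$1" LogFile /var/log/clamd
    set_directive "$1" LocalSocket /var/lib/clamav/clamd-socket
    disable_example "$1"
    module_loaded dazuko || echo "dazuko is not loaded; run modprobe dazuko" >&2
fi
```

The module check reads /proc/modules directly, which is the same source lsmod formats, so it works inside scripts where lsmod's column layout is awkward to parse.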

ESET, the leader in proactive threat protection, today announced that it received a CNET Editors’ Choice award for ESET Smart Security 4, the recently updated integrated security solution combining antivirus, anti-spyware and anti-spam functionality with a personal firewall. The coveted CNET Editors’ Choice award recognizes outstanding consumer electronics that represent the best available choice for quality, performance, design, service, value, and its logo is a mark of excellence denoting the best possible investment for consumers.

CNET Editors’ Choice winners are recognized as top products in their respective technology categories, and contribute to the standard by which all future products are judged. A key selection requirement is that it must also change the competitive landscape of its market, whether through innovative features, exceptional value for the price, remarkable ease of use, or a demonstrable boost to the lives of its users.

“ESET Smart Security is surprisingly light, consuming around 50MB of RAM when running, and ESET NOD32 has consistently scored near the top of several independent antivirus testing organization ratings for finding the most malware while encountering fewer false positives than most,” said Seth Rosenblatt, senior associate editor, CNET Downloads. “For getting all your security tools in one box, Smart Security is an effective and well-respected choice.”

“We are very excited about this honor from CNET as their Editors’ Choice award has become the hallmark of technology quality and innovation, and its logo is a symbol consumers know and trust,” said Anton Zajac, CEO, ESET LLC. “This is an exceptional achievement and we are very proud to be recognized for our dedication and commitment to providing users with the most advanced protection from evolving security threats.”

Built on the same engine that powers ESET NOD32 Antivirus, ESET Smart Security 4 also features anti-spam and firewall functionality, both of which received high marks in usability and effectiveness. ESET’s detection and diagnostic features safeguard users from deceptive forms of malware by digging deeper into the operating system, files and encrypted browser traffic to identify and eliminate hidden malware threats. ESET Smart Security 4 proactively blocks most new malware attacks before they can compromise systems or steal data.

ADAOX Middle East, the regional business development centre of ESET NOD32 Antivirus, today announced the launch of the latest versions of ESET’s award-winning security solutions – ESET Smart Security 4 and ESET NOD32 Antivirus 4 in the Middle East region. ESET’s new generation security solutions deliver its most effective protection against emerging threats. Built on the unique and time-tested ThreatSense technology that has made ESET into a leader in proactive protection – ESET Smart Security 4 and ESET NOD32 Antivirus 4 – were optimized for even greater protection and enhanced usability, while retaining their signature small system footprint.

“We are delighted to launch ESET Smart Security 4 and ESET NOD32 Antivirus 4 to our customers in the Middle East, who have come to trust ESET’s proactive protection immensely. Version 4 of these security solutions surpasses all previous versions and is the most effective software to combat malware and emerging threats. We are confident these new security solutions will be well received by our customers and partners in this region,” said Neo Neophytou, Managing Director of ADAOX Middle East.

Key benefits:

o Protection from the Unknown – Award-winning ThreatSense technology delivers the most effective protection against new attacks on the market.
o Built for Speed – ESET’s solutions are lightning fast, delivering superior scanning performance.
o Easy on System Resources – ESET typically uses only 35-40MB of system memory, a fraction of what other products consume. Laptop users will welcome the new automatic energy-conserving battery mode.
o Easy on You – more user friendly than ever before – from the compact and intuitive interface, the minimal use of alerts, to self-training firewall – you will be up and running in a snap, hardly noticing the solution quietly working in the background.

Users at home, but especially in SMBs and large enterprises, will come to appreciate dozens of useful new features and improvements in usability. On top of being faster and lighter, ESET Smart Security 4 and ESET NOD32 Antivirus 4 include the following:

• Self-Defense – a built-in technology to prevent malicious software from corrupting or disabling the system’s security.
• SysRescue – allows user to create computer recovery medium on a CD and USB key for system boot-up.
• Portable media access control, including USB, CD, flash disc, closing this vector of potential malware infiltration.
• Encrypted communication – developed for Windows XP and Windows Vista to scan the HTTPS and POP3S protocols for malware. Also included is the so-called “learning mode” for the state-of-the-art firewall, affording an even greater level of protection.
• Support of More E-mail clients, including Windows Mail, Windows Live Mail and Mozilla Thunderbird
• Non-Graphical User Interface with the option to switch automatically to high contrast mode when in Windows.
• Smart Optimization – function permitting an increase in scanning speed
• Integrated ESET SysInspector – a powerful diagnostic tool for in-depth analysis of the operating system, including running processes, registry content, startup items and network connections.
• Integrated Anti-Stealth – advanced technology to protect against rootkits
• Support for CISCO Network Admission Control

“ESET Smart Security 4 is the result of ESET’s continuous quest for perfection in PC security. We’ve in essence created artificial intelligence that is incredibly efficient and fast in recognizing malware,” said Miroslav Trnka, CEO of ESET. ESET Smart Security 4 was developed as a highly streamlined solution integrating 4 functionalities: antivirus, antispyware, antispam, and a personal firewall.

ESET Smart Security 4 Business Edition includes a Remote Administrator and a LAN update “mirror” function to easily monitor and update workstations across large networks.